
DO NOT MERGE Handle bad packet length in gatts_process_read_req
authorStanley Tng <stng@google.com>
Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)
committerRohit Yengisetty <rngy@google.com>
Wed, 18 Apr 2018 00:47:03 +0000 (17:47 -0700)
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Note that an earlier CL for this change was reverted; this is the updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 810e669d7ae55dd50ec1ea159cd87c3f1cdf5695)

stack/gatt/gatt_sr.c

index 11ef79c..e159bae 100644 (file)
@@ -27,6 +27,7 @@
 
 #if BLE_INCLUDED == TRUE
 #include <string.h>
+#include <log/log.h>
 #include "gatt_int.h"
 #include "l2c_api.h"
 #include "l2c_int.h"
@@ -330,8 +331,6 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
     tGATT_IF gatt_if;
     UINT16  conn_id;
 
-    UNUSED(len);
-
 #if GATT_CONFORMANCE_TESTING == TRUE
     if (gatt_cb.enable_err_rsp && gatt_cb.req_op_code == op_code)
     {
@@ -344,6 +343,13 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
     }
 #endif
 
+    if (len < sizeof(flag)) {
+        android_errorWriteLog(0x534e4554, "73172115");
+        GATT_TRACE_ERROR("%s: invalid length", __func__);
+        gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
+        return;
+    }
+
     STREAM_TO_UINT8(flag, p);
 
     /* mask the flag */
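Review bot: The new error block is written inconsistently with the sibling block this commit adds in gatts_process_read_req: this one calls `android_errorWriteLog(0x534e4554, "73172115");` while the other calls `android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);`, and both pass lowercase `false` to gatt_send_error_rsp where the existing call in this file passes `FALSE`. Use one logging helper at both sites and the file's own boolean spelling, `gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, FALSE);`. Whether `false` is even in scope in this C file depends on headers outside the hunk. The body of gatt_process_exec_write_req, including the declaration of `flag` that `sizeof(flag)` relies on, starts outside the hunk.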
@@ -1143,7 +1149,13 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
     UINT16          offset = 0, value_len = 0;
     BT_HDR          *p_msg = (BT_HDR *)osi_calloc(buf_len);
 
-    UNUSED(len);
+    if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {
+        /* Error: packet length is too short */
+        android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+        GATT_TRACE_ERROR("%s: invalid length", __func__);
+        gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
+        return;
+    }
 
     if (op_code == GATT_REQ_READ_BLOB)
         STREAM_TO_UINT16(offset, p_data);
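Review bot: The new early return leaks `p_msg`: `BT_HDR *p_msg = (BT_HDR *)osi_calloc(buf_len);` two lines above runs before the length check, and the added block returns without releasing it, whereas the function's existing error path later in this file calls `osi_free(p_msg)` before sending the error response. Either move the check above the allocation or add `osi_free(p_msg);` before the `return;` in the new block. Since this path is reached by a peer's short GATT_REQ_READ_BLOB request, each such request would otherwise appear to leak one buffer. gatts_process_read_req starts outside the hunk, so confirm no other state set up earlier in the function needs cleanup on this path.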
@@ -1174,7 +1186,7 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
     {
         osi_free(p_msg);
 
-        /* in theroy BUSY is not possible(should already been checked), protected check */
+        /* in theory BUSY is not possible(should already been checked), protected check */
         if (reason != GATT_PENDING && reason != GATT_BUSY)
             gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);
     }